它是如何配置的

它是如何配置的

如何ssh使用空密码创建正确安全的帐户来运行受信任的二进制文件?我想为随机用户制作一种“虚拟 ssh Kiosk”,同时将“演示应用程序”限制在 ssh“伪用户”后面。

我所说的“安全”是指“为随机访问者运行演示应用程序的服务器的安全”。基本上将 ssh 帐户后面的应用程序作为服务提供服务,类似于 https 服务网站。

(出于此问题的目的,我们假设我们信任/bin/cat/usr/bin/cat- 根据服务器的系统,请检查您的系统which echo

在工作的同时https://goo.gl/TjhrWd,我遇到了将密码设为空的问题。 PAM 拒绝它。

它是如何配置的

这是我使用的配置,并且在为用户设置密码时起作用cat- 它也被描述在https://goo.gl/TjhrWd

# below configured on Ubuntu Server 14.04 LTS
addgroup catonly
CHROOT=/var/chroot/cat
# now let's make pseudo-shell binary, executing your ForceCommand (check source)
# you can use bash as default shell instead, I prefer sth less bloated.
cd /tmp
wget 'https://gist.githubusercontent.com/gwpl/abcbc74c2bf377945a49097237edfb9b/raw/1993e8acc4bd66329959b1a658fcce4296d2a80c/only_exec_command.c'
gcc only_exec_command.c -static -o only_exec_command
mkdir -p "$CHROOT"/{bin,lib,lib64,dev/pts,home/cat}
chown root:root /var/chroot "$CHROOT"
# dependig on distro it might be /usr/bin/cat -> check with `which cat`
useradd -d /home/cat -s /bin/only_exec_command -M -N -g catonly cat
passwd -d cat
# Let's make chroot
cp /tmp/only_exec_command "$CHROOT"/bin/
cp /bin/cat "$CHROOT"/bin/
mknod -m 666 "$CHROOT"/dev/null c 1 3
ldd /bin/cat # tells us which libraries to copy
cp /lib/x86_64-linux-gnu/libc.so.6 "$CHROOT"/lib
cp /lib64/ld-linux-x86-64.so.2 "$CHROOT"/lib64
chown cat:catonly "$CHROOT"/home/cat
chown root:root /var/chroot/cat /var/chroot /var
$ $EDITOR /etc/ssh/sshd_config # add:
Match user cat
       ChrootDirectory /var/chroot/cat
       X11Forwarding no
       AllowTcpForwarding no
       # dependig on distro it might be /usr/bin/cat -> check with `which cat`
       ForceCommand /bin/cat
       PasswordAuthentication yes
       PermitEmptyPasswords yes

症状表明是 PAM

但尝试ssh,会导致要求输入密码,并在拒绝时提供空结果:

ssh [email protected]
[email protected]'s password:
Permission denied, please try again.

在以调试模式运行的服务器端,日志中没有任何有趣的内容,让我引用服务器端部分,在登录期间,输入空密码后:

/usr/sbin/sshd -ddd -p 1234
(...)
debug1: userauth-request for user echo service ssh-connection method password [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug3: mm_auth_password entering [preauth]
debug3: mm_request_send entering: type 12 [preauth]
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
debug3: mm_request_receive_expect entering: type 13 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 12
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication failed for echo: Authentication failure
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 13
Failed password for echo from 192.168.1.1 port 43816 ssh2
debug3: mm_auth_password: user not authenticated [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,password" [preauth]

答案1

您还需要告知PAM您希望允许空密码。有一些过时的教程描述了这一点。但简而言之:

sudo sed -i 's/nullok_secure/nullok/' /etc/pam.d/common-auth

应该做这项工作。

答案2

要正确地安全的ssh访问,你必须不是允许身份验证免费登录。设置 RSA 密钥进行身份验证,然后客户端可以使用该密钥而无需密码。

相关内容